VYPR
Unrated severity · NVD Advisory · Published Oct 14, 2011 · Updated Apr 29, 2026

CVE-2011-3254

Description

Cross-site scripting (XSS) vulnerability in Calendar in Apple iOS before 5 allows remote attackers to inject arbitrary web script or HTML via an invitation note.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Apple iOS Calendar via invitation notes allows remote attackers to inject arbitrary script; fixed in iOS 5.

Vulnerability

The Calendar application in Apple iOS versions before 5.0 contains a cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary web script or HTML through a crafted invitation note. Affected versions: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, and iOS 3.2 through 4.3.5 for iPad. [1]

Exploitation

An attacker sends a malicious invitation note containing JavaScript or HTML to a victim using an affected iOS device. The victim opens the invitation in the Calendar app, which renders the note without proper sanitization and executes the injected script. No authentication or special privileges are required beyond sending an invitation. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary script in the context of the Calendar application, potentially leading to disclosure of sensitive information, session hijacking, or other actions within the user's iOS environment. [1]

Mitigation

Fixed in iOS 5, released October 12, 2011. Users should update to iOS 5 or later via iTunes. No workaround is available for earlier versions. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:o:apple:iphone_os:4.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.2.5:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.2.8:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.2.9:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.4:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.5:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.5:-:ipad:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.5:-:ipodtouch:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <5

References

2
